FROM python:3.11-slim AS builder

WORKDIR /build

# System packages required at build time only
RUN apt-get update && apt-get install -y --no-install-recommends \
        gcc \
        g++ \
        libgomp1 \
    && rm -rf /var/lib/apt/lists/*

COPY requirements.txt .

RUN pip install --no-cache-dir --upgrade pip \
 && pip install --no-cache-dir --prefix=/install -r requirements.txt


# ─────────────────────────────────────────────────────────────────
# Stage 2 — lean runtime image
# ─────────────────────────────────────────────────────────────────
FROM python:3.11-slim

LABEL maintainer="AliMusaRizvi"
LABEL description="DDoS Detector API — weighted soft-voting ensemble (XGBoost · LightGBM · Random Forest)"

# libgomp is needed at runtime by LightGBM
RUN apt-get update && apt-get install -y --no-install-recommends \
        libgomp1 \
    && rm -rf /var/lib/apt/lists/*

# Copy installed packages from the builder stage
COPY --from=builder /install /usr/local

# HuggingFace Spaces requires a non-root user
RUN useradd --create-home --uid 1000 appuser
USER appuser

ENV HOME=/home/appuser
WORKDIR /home/appuser/app

# Model cache goes to /tmp so the non-root user can write to it
ENV HF_HOME=/tmp/hf_cache
ENV TRANSFORMERS_CACHE=/tmp/hf_cache

# Disable Python bytecode writing and enable unbuffered logging
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

COPY --chown=appuser:appuser app.py .

# HuggingFace Spaces Docker SDK routes external traffic to port 7860
EXPOSE 7860

CMD ["uvicorn", "app:app", \
     "--host", "0.0.0.0", \
     "--port", "7860", \
     "--workers", "1", \
     "--log-level", "info", \
     "--timeout-keep-alive", "30"]